Malicious Office (OOXML) — malware analysis report

Static analysis result for SHA-256 c96953d4c0a20bbd…

Verdict: MALICIOUS
File type: Office (OOXML)
Size: 41.6 KB
Created: 2021-06-22 12:43:05 UTC
Authoring application: Microsoft Excel 16.0300
MD5: c0699dcab5ca69c4db47280ceaf3cd27
SHA-1: a9d1607e2162f0b50e06ac7c41b63d9f7a54fcd1
SHA-256: c96953d4c0a20bbd9e200f1106e115b892ed9da9efe3babf69a6a36d7bbb8847
Risk score: 160

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File

The file is an OOXML document containing VBA macros. Heuristics indicate that the VBA code references cmd.exe and PowerShell, suggesting it is designed to execute commands on the host system. The GetObject call is also suspicious. The VBA code appears to be obfuscated; its likely purpose is to download and execute a secondary payload.

Heuristics (4)

  • OLE_VBA_PS (critical): PowerShell reference in VBA
  • OLE_VBA_GETOBJ (high): GetObject call
  • OLE_VBA_CMD (high): cmd.exe reference in VBA
  • OOXML_VBA (medium): VBA project inside OOXML (document contains a VBA project; VBA macros present)

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: macros.bas
  SHA-256: b5b4798a3d1cd5bdf44e378262bcf413bffa4cfc77da56c130968ead217713e5
  Kind: vba-macro
  Source: oletools.olevba.extract_macros (decoded VBA source from OOXML)
  Size: 35036 bytes

Filename: vbaProject_00.bin
  SHA-256: bfb40764975455997ba792e9c41670c7cd6e73272cff3d1bd6632d84c358e30d
  Kind: vba-project
  Source: OOXML VBA project: xl/vbaProject.bin
  Size: 11264 bytes